No Script, No Fear, All Opinion
RSS icon Home icon
  • EEVblog #499 – What is JTAG and Boundary Scan?

    Posted on July 27th, 2013 EEVblog 14 comments


    What is the JTAG interface and Boundary Scanning, how does it work, and what is it useful for?

    Forum HERE

    XJTAG Unit

    Be Sociable, Share!
     

    14 responses to “EEVblog #499 – What is JTAG and Boundary Scan?” RSS icon

    • Woaw, just woaw ! You opened my eyes about JTAG. As many I thought it was just a programming interface, and now I’m drooling with lubricity thinking about all the hacking that this interface enables :)

      Thank you Dave for another superbly conducted Fundamental Friday.

    • Is JTAG always enabled in end products? I hardly believe there aren’t any lock bits like in ISP where you can erase locked device to unlock it but you can’t read locked firmware for hacks purposes.

      • Keebler: I encourage you to view parts such as ST’s STR712 and STM32. The former you can disable the JTAG interface completely after its passed production testing, whilst the second is more flexible and allows you to disable flash read and write and only allowing flash erase.

        However, lots of production units have ‘back doors’ for analysing failures in the field, but these are typically in application firmware, so can be specific to certain products.

    • Keebler> No, it’s can be disabled or encrypted (eg with RSA encryption)
      In end user product, when encryption is enabled, all information in flash/RAM/… are encrypted.
      All opcodes are desencrypted and interpreted directly in the chips.

    • If you’re hacking/reverse engineering a PCB that doesn’t have an obvious JTAG connector (but suspect it’s still there based on the chips on-board), you can use something like the JTAGulator (http://www.jtagulator.com), which is an open source board I just designed – just connect to test points on the target board and have the tool try to determine if a JTAG interface actually exists.

      Once you’ve determined the pinout, you can use standard JTAG tools, like the XJTAG that Dave shows in the video, to start interfacing directly with the chips, extract firmware, etc. Vendors/engineers like using JTAG, so it’s rare that the functionality is removed from the PCB. We’re starting to see password-protection and other attempts at security, so those would have to be bypassed/defeated in other ways. Fun stuff!

      Joe

    • Michael Dallas

      Incredible, Dave! I had no idea! While I don’t really build that much electronics, I always enjoy learning about stuff like this. Thanks for a very enlightening and enjoyable video.

    • here is a talk on Blackbox JTAG Reverse Engineering http://www.youtube.com/watch?v=Up0697E5DGc

    • This is some great jtag explanation :O

    • JTAG is indeed very flexible !
      it can be used to reverse engineer a board automagically :

      http://nsa.unaligned.org/jrev.php

    • I’ve written a boundary scan JTAG programmer in on of my previous lives – it was just a home brewed thing for in house production.

      Basically one of our boards toggled the 4 JTAG lines the right way and it programmed the attached flash part by setting the pins appropriately and pretending to be the main chip.

      used it to program flash chips and others like DiskOnChip through it. The latter though is extremely slow – it took 20 minutes to program. (Basically my program used boundary scan to toggle the data bus the right way).

      Just another way of in-system programming… no flash controllers or anything needed other than a BSDL file.

    • Very very nice, Dave. Even more professional than normal. Two thumbs up – very informative

    • That XJTAG device and software looks pretty slick. Probably a lot more user-friendly than the ‘BusBlaster + openocd’ setup I (try to) use for programming ARMs.

      I don’t even wanna know how much it costs. I’m quite sure it falls under the “if you have to ask, you can’t afford it” category. =)

    Leave a reply